Abstract

Finding an optimal key assignment (subject to given constraints) for a key predistribution scheme 
in wireless sensor networks is a difficult task. Hence, most of the practical schemes are based on 
probabilistic key assignment, which leads to sub-optimal schemes requiring key storage linear in 
the total number of nodes. A graph theoretic framework is introduced to study the fundamental 
tradeoffs between key storage, average key path length (directly related to the battery consumption) 
and resilience (to compromised nodes) of key predistribution schemes for wireless sensor networks. 
Based on the proposed framework, a lower bound on key storage is derived for a given average key 
path length. An upper bound on the compromising probability is also given. This framework also 
leads to the design of key assignment schemes with a storage complexity of the same order as the 
lower bound. 
1 Introduction

A sensor network is made up of low-cost nodes operating on battery power. Hence, computation and 
energy consumption are major constraints for the design of sensor networks [3]. Similar to key distribution
schemes with an online trusted third party server [23,24], the main design goal of key management
in a sensor network is entity authentication or initial trust establishment, that is, to allow the sensor
nodes to identify each other or to distinguish between insiders and outsiders (adversarial nodes) during 
deployment. 

Since the nodes in a sensor network usually belong to the same owner, it is fairly reasonable to
assume all the nodes have prior contact with a common entity or server before deployment; nevertheless,
using an online server as in [23, 24] is considered impractical for sensor networks. As a result, to
minimize the consumption of resources like computation and energy in order to fulfill the low cost
constraint, key predistribution schemes (introduced in [19,22]) have emerged as the de facto method for
achieving initial trust in a sensor network, even though a considerable amount of key storage is usually
needed [1,2,4, 10-13, 16-18]. Note that the family of probabilistic key predistribution schemes [4, 10,
11, 13, 17, 18] requires key storage which is a linear function of the number of nodes in the network. In
other words, storage is traded off for reduced computation and longer battery lifetime. Although this
initial trust also provides private channels among sensor nodes to establish session keys for secret and
authenticated communication, entity authentication is still the main goal of key predistribution schemes
(KPS) for any sensor network.

*An earlier version of this paper appeared in the proceedings of ICST WiOpt'09.

In KPS, each node is preloaded with some set of secret keys into its key ring before deployment and 
it is assumed that only the owner or nodes belonging to the same owner would know any of these keys. 
Of course, a compromised node would also know part of these keys; so it is one of the design criteria 
of KPS to minimize the impact of a compromised key ring. When two nodes find they share one or 
more common keys, they will recognize each other as belonging to the same owner and thus trust each 
other. Note that this trust is mutual in the sense that when node A trusts node B, node B should also 
trust node A. This trust could also be called a keying relationship between A and B as in [21]. When two 
nodes, A and B, share no common key, they cannot identify each other immediately, but if both of them 
possess established trust with a third node C, of course through shared keys again, they can establish 
trust through C and set up a new key between them to be used as a sign of trust afterwards. We call the 
path A-C-B an authentication or acquaintance chain between A and B. Although misleading, this trust 
establishment process is commonly known as path key establishment in the context of sensor network 
key management since [13]. It is straightforward to see how this trust establishment can be extended 
to a longer acquaintance chain, for instance, A-C-D-E-...-B. This is analogous to the authentication
chain [6, 15] in Public Key Infrastructure (PKI) [8], but they differ in that the trust of the certificate chain
in PKI is unidirectional while the trust relationship between two nodes connected by an acquaintance
chain in KPS is mutual; in PKI, when A trusts that a public key belongs to B through some authentication
path in PKI, B does not necessarily trust the authenticity of A's public key.

With this background, we could consider the design objective of any KPS for a sensor network as
finding a key assignment method allowing any two sensor nodes to authenticate each other through a
reasonable-length authentication chain with reasonable resource consumption, key storage requirement
and security, depending on the application scenario. Various designs can be obtained
by varying the tradeoff between any pair of the desired properties or parameters of a KPS, including key
storage requirement, network connectivity, energy consumption, resilience to dead nodes and security
against compromised nodes.

When discussing entity authentication, it is natural to represent the keying or trust relationships 
between nodes by a graph, just like the certificate graph in PKI [6,21]. We call this type of graph a 
trust graph (t-graph). In a t-graph G, the sensor nodes are represented as vertices in G and an edge 
exists between two vertices only if the corresponding sensor nodes have direct established trust (i.e. they 
share some common keys). The t-graph is indeed used in many existing schemes on sensor network
key management [4, 13] to represent the keying relationships between nodes. However, the existing
work merely uses a t-graph for representation purposes to calculate the probability of connectivity of
the actual network. We especially study the tradeoff between storage and energy consumption for full
connectivity. Existing schemes have overlooked the power of a t-graph as a bridge between the design and analysis of
sensor network key management and the result-rich graph theory. In this paper, we show how a t-graph
can be leveraged to demonstrate the tradeoff between the properties of KPS for sensor networks, unify 
the existing schemes under this framework, and give design insight based on graph theoretic results, 
in particular those about graph diameters and intersection graphs. We also give a lower bound on key 
storage based on the proposed framework. This lower bound is generic in the sense that it applies to all 
key predistribution schemes and the graph model in this paper is merely a means to derive this lower 
bound but poses no restriction on the key assignment in the actual KPS. 

The main contribution of this paper is the graph theoretical framework proposed to study key assignment
methods for key predistribution in wireless sensor networks. Such a realization provides a unifying
view for predistribution schemes and allows the derivation of a key storage lower bound and a compromising
probability upper bound for a given constraint on the average key path length (which is directly related
to energy consumption for bootstrapping a sensor network). The proposed framework also links results
in graph theory to the design of key assignment schemes. Through this link, we provide a number of
near optimal key assignment methods.

The organization of this paper is as follows. The definition of a t-graph is given in the next section
together with a discussion of the physical connectivity graph of a sensor network. Then, it will be shown
how the properties or parameters of a KPS are related to the parameters of a t-graph in Section 3. In
Section 4, the tradeoff between these parameters is discussed. After that, a number of near-optimal key
assignment methods are given in Section 5.

2 Trust Graph 

In a t-graph or the associated key graph (which can be used to represent any KPS), each node in a sensor 
network is represented as a vertex. In rigorous definitions, there are two main differences between a 
t-graph and its key graph. First, each edge in a t-graph represents established trust between the two end 
vertices while each edge in a key graph represents a key shared by the end vertices. Hence, multiple 
edges between two adjacent vertices are possible in a key graph but not in a t-graph since two sensor 
nodes may share more than one key but the trust relationship is binary (that is, two sensor nodes could 
mutually trust each other or not). Second, a t-graph is an unlabeled graph while the edges of a key graph 
are labeled by keys or key indices. The definitions of a t-graph and its key graph are given below. 

Definition 1 [t-Graph] Given a set of sensor nodes $S = \{s_1, s_2, \ldots, s_n\}$, a t-graph $G$ is an unlabeled,
non-weighted graph with a vertex set $V(G) = S$ such that $(s_i, s_j) \in E(G)$ (the edge set of $G$) where
$i \neq j$ if and only if $s_i$ and $s_j$ have direct established trust, that is, share some common keys.

Definition 2 [Key Graph] Given a set of sensor nodes $S = \{s_1, s_2, \ldots, s_n\}$ and a key set
$K = \{k_1, k_2, \ldots, k_t\}$, a key graph $G$ is an edge-labeled or edge-colored, non-weighted graph with a
vertex set $V(G) = S$, a label set equal to $K$ (or $[1, t]$) and an edge set $E(G) \subseteq S \times S \times K$, such that
$(s_i, s_j, k_r) \in E(G)$ where $i \neq j$ if and only if $s_i$ and $s_j$ share a common key $k_r$.

It should be noted that is just some kind of label for a sensor node and it could be of any format, 
not merely the identity of a sensor node. If we label a sensor node by the set of keys it holds, the resulting 
t-graph is an intersection graph [20].¹

For the sake of clarity, in this paper, we consider a simple key assignment wherein each edge in a
t-graph is associated with a key. That is, the key graph can simply be obtained from a t-graph by assigning
key labels to it. Consequently, the problem of designing optimal key assignments reduces to finding an 
optimal t-graph (with desired tradeoffs) for a given application scenario, and then assigning keys to links 
in the t-graph. 

The degree of a node in a t-graph, more precisely, the total number of key labels of all the edges 
ending at a node in a key graph, tells the required key storage of that node. Nevertheless, in most 
cases, the degree of a node in the t-graph gives a good indication of the key storage requirement. In any 
proper KPS, both the t-graph and key graph should be connected, that is, any vertex in the graph should 
be reachable by another. As usual, the distance between any two vertices, denoted by $d(s_i, s_j)$, is the
number of edges/hops traversed by the shortest path between $s_i$ and $s_j$. If two nodes are not connected,
the corresponding distance is $\infty$, which normally should not happen in a proper KPS. Suppose a t-graph
$G$ has $n$ vertices, the mean distance $\bar{d}$ and the diameter $D$ of $G$ are defined as follows:

$$D = \max_{s_i, s_j \in V(G)} d(s_i, s_j).$$

The mean distance and diameter are explicitly discussed here because they are related to the length 
of the acquaintance chains in a particular t-graph, which are in turn related to the energy consumption 
of establishing trust indirectly between two nodes through an acquaintance chain. The details will be 
discussed in Section 3.

2.1 Physical Connectivity and Deployed t-Graph

Recall that KPS aims at allowing physical neighboring nodes (within the radio range of each other) to 
identify each other and establish trusted links. If the actual deployment topology is known, we just need 
to make a t-graph the same as the physical connection topology of the sensor network. The physical 
connection could be best represented by a physical connectivity graph (or physical graph for short) in 
which sensors are represented by vertices and an edge exists between two vertices if and only if they are 
within the radio range of each other. A physical graph is the actual physical topology of a sensor network 
in deployment. In other words, an edge in the physical graph represents that the two end nodes of the
edge are within reach of each other's radio range and communicate directly without relying on others to
relay messages.

1 It has been shown that each graph is an intersection graph [20]. An explicitly vertex-labeled intersection graph is meant
here.

[Figure: panels (a) t-graph, (b) physical graph, (c) deployed t-graph; legend: virtual edges]

Figure 1: Obtaining a deployed t-graph (representing the trusted links that can be established after bootstrap)
from the original t-graph (representing the established trust relationships among sensor nodes) and
a physical graph (representing the physical link connectivity in the actual deployed network).

We should distinguish a t-graph or key graph from a physical graph of a sensor network; while an 
edge in the latter represents a real physical link between two neighboring sensor nodes, an edge in a
t-graph (key graph) is just a logical link. In order to set up or bootstrap a secure network, only physically
neighboring nodes (connected by an edge in the physical graph) having mutual trust (represented by an 
edge in the t-graph) can establish a trusted link. That is, even though two nodes are neighbors in the 
t-graph, the bootstrapped initial trust between them would not be useful if they are not neighbors in the 
physical graph. On the other hand, two neighboring nodes within the radio range of each other still cannot
authenticate or verify the identity of the neighbor if they share no initial secret. If we want to see how 
many trusted links are established in the actual network or equivalently how many edges in the t-graph 
are effective for setting up trusted links in the actual network, we could obtain a deployed t-graph by 
computing the graph-intersection of the t-graph and the physical graph. In a deployed t-graph, only 
edges actually used to set up trusted links in the network are shown. However, an edge in the physical 
graph not overlapped with an edge in the t-graph is shown as a dashed line, called a virtual edge. A 
virtual edge corresponds to a physical link between two sensor nodes in physical proximity having no 
mutual trust. Figure 1 shows how a deployed t-graph can be obtained by overlapping the
original t-graph with a physical graph. 

Additional trusted links can be established from these virtual edges as the nodes in question could
authenticate each other through an acquaintance chain, thus adding edges to the deployed t-graph. The
procedure is as follows: Suppose $s_i$ and $s_j$ (in physical proximity) wish to authenticate each other through
an acquaintance chain $s_i - s_a - s_b - s_j$. Note that each neighboring pair in this chain needs to be physical
neighbors with established trust. $s_i$ randomly picks a key $k$, encrypts $k$ using the key it shares with $s_a$,
and passes it to $s_a$. Then $s_a$ retrieves $k$ and encrypts it using the key it shares with $s_b$, and passes it to $s_b$.
This process continues until $s_j$ is reached. Finally, $s_j$ picks another key $k'$ and encrypts it using $k$ and
sends it back to $s_i$. The key $k'$ or a combination of $k$ and $k'$ would be used as a sign of trust established
indirectly between $s_i$ and $s_j$. The last step is necessary for key confirmation. This process in essence
converts virtual edges into trusted links in the deployed t-graph. How many successful conversions can be
made depends on the acceptable maximum length of the acquaintance chain. If there is no restriction on
this length, for a network with proper key assignment, all virtual edges or physical links can be turned
into trusted links.

The goal of any KPS for a sensor network is to convert as many virtual edges as possible into real 
edges in the deployed t-graph subject to resource constraints like energy consumption (which poses 
constraints on the maximum length of the acquaintance chain). The energy consumption cost of adding
one such edge depends on the length of the acquaintance chain, which is related to the mean
distance and the diameter of the deployed t-graph. Note that for any pair of nodes, the actual acquaintance
chain in the deployed network is likely to be different from that in the original t-graph, and only nodes 
connected by a multi-hop path in the deployed t-graph could identify each other through an acquaintance 
chain. 
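
The overlap of a t-graph with a physical graph, and the conversion of virtual edges under a maximum chain length, can be traced on a small network. The following Python sketch is an added example, not code from the paper; the node numbers, edge lists and function names are constructed for illustration, and chains are searched only over trusted links of the initial deployed t-graph.

```python
from collections import deque

# Constructed sample network (not from the paper).
# t-graph: pairs preloaded with a shared key; physical graph: pairs in radio range.
T_EDGES = [(1, 2), (2, 3), (3, 4), (1, 5), (4, 5), (2, 5)]
P_EDGES = [(1, 2), (2, 3), (3, 4), (1, 3), (1, 4), (4, 6), (5, 6)]


def norm(edges):
    """Normalise undirected edges to a set of sorted tuples."""
    return {tuple(sorted(e)) for e in edges}


def deployed_t_graph(t_edges, p_edges):
    """Return (trusted links, virtual edges) of the deployed t-graph."""
    t, p = norm(t_edges), norm(p_edges)
    trusted = t & p      # physical neighbours that share a key
    virtual = p - t      # physical neighbours with no shared key
    return trusted, virtual


def shortest_chain(trusted, src, dst, max_hops):
    """Breadth-first search for the shortest acquaintance chain from src to
    dst that uses only trusted links and at most max_hops hops."""
    adj = {}
    for a, b in trusted:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev = {src: None}
    queue = deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        if hops == max_hops:
            continue                      # chain length limit reached
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append((nxt, hops + 1))
    return None


def bootstrap(t_edges, p_edges, max_hops):
    """Try to convert every virtual edge into a trusted link.

    Returns (trusted, converted, failed). 'converted' maps each virtual edge
    to its chain and its energy cost W = d_DT + 1 in 1-hop transmissions,
    the extra hop being the key confirmation message."""
    trusted, virtual = deployed_t_graph(t_edges, p_edges)
    converted, failed = {}, []
    for a, b in sorted(virtual):
        chain = shortest_chain(trusted, a, b, max_hops)
        if chain is None:
            failed.append((a, b))         # stays unauthenticated
        else:
            converted[(a, b)] = {"chain": chain, "energy": len(chain)}
    return trusted, converted, failed


if __name__ == "__main__":
    for limit in (2, 3):
        _, ok, bad = bootstrap(T_EDGES, P_EDGES, limit)
        print(limit, ok, bad)
```

In this sample, nodes 1 and 4 have a 2-hop chain through node 5 in the original t-graph, but node 5 is not within radio range of either, so the deployed t-graph only offers the 3-hop chain 1-2-3-4. Edges touching node 6 can never be converted because node 6 holds no trusted link.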

It should be noted that a virtual edge is not an authenticated link and one of its ends could possibly 
be a pre-deployed adversary node. If we insist on using these virtual edges as channels to relay messages 
for indirect trust establishment, a shorter physical path for the acquaintance chain is possible but the 
reliability of this physical path is in doubt. Even worse, a long acquaintance chain including just
one untrusted edge would render the whole chain insecure, that is, the two end nodes of the chain are
unsuccessful in verifying the identity of each other. Hence, this approach is feasible only for scenarios
requiring a low level of security on entity authentication.²

Since some of the sensor nodes may die before or during deployment, the resulting physical graph
and thus the deployed t-graph could have a smaller number of vertices than that in the original t-graph.
Similarly, it is impossible to achieve perfect connectivity in the physical graph due to limited radio range
of each sensor node; consequently, the number of edges in the immediate deployed t-graph could be
significantly less than that in the original t-graph. These two phenomena are equivalent to deleting vertices
and edges respectively in the original t-graph to obtain the deployed one, causing disconnection of two
originally connected vertices. These events of disconnection lead to an increase in the diameter and mean
distance of the deployed t-graph compared to the original t-graph, and if a significant number of them
occur, the deployed graph could become disconnected even though the original t-graph is connected. The
length of the acquaintance chain between any two non-neighboring vertices increases accordingly. For
instance, the two virtual edges shown in Figure 1 need a 3-hop chain to authenticate each other whereas
in the original t-graph a 2-hop chain exists. As a result, node degrees in a t-graph (and key storage
requirement as a consequence) need to be significantly higher than the number of physical neighbors in
the actual network in order to tolerate edge and vertex deletion, as the physical topology and the resulting
physical graph are unknown prior to deployment in most cases.

2 In these scenarios, the number of sensor nodes is usually insignificant and key storage is thus not a serious constraint. As
a result, this approach may not have any application.

2.2 Physical Connectivity Model 

As can be seen in the last section, any KPS design needs to suit a particular physical connectivity model. 
If the physical connectivity of the actual deployment is known, the t-graph for optimal key assignment 
is simply the given physical connectivity graph. This paper considers the random graph model in which 
each node has on average b neighbors (including both dead and living nodes) and a fraction of 
nodes die before deployment. The resulting physical graph has $n(1 - p_{die})$ vertices on average and the
probability that an edge exists between a pair of nodes is given by

$$p_{link} = (1 - p_{die})^2 \frac{b}{n - 1}.$$

It can be shown that, in this kind of physical connectivity model, the parameters (like average node degree
and average distance) of the resulting deployed trust graph differ from those of the original t-graph by
a constant factor where the constant is a function of $p_{link}$ only. As a result, for the sake of clarity, our
discussions in this paper will be mainly based on the t-graph rather than the actual deployed t-graph.

3 Relations between KPS Parameters and the Properties of t-graph 

This section shows how the KPS design parameters are related to the properties and parameters of the
t-graph. In the following discussion, a t-graph is denoted by $G_T$, its key graph by $G_K$, the deployed
t-graph by $G_{DT}$, and a physical graph by $G_P$. To distinguish the parameters of a t-graph from those of
a key graph or a deployed t-graph/key graph, the parameters are attached with a subscript of T, K or
DT/DK respectively. For example, the diameters of a t-graph and a deployed t-graph are denoted by
$D_T$ and $D_{DT}$ respectively in the following discussion.

3.1 Storage 

The key storage requirement $l(s_i)$ of a node $s_i$ is equal to the total number of different key labels on all
the edges (or equivalently the total number of edges) ending at that node in the key graph $G_K$. Similarly,
the total number of keys used by the network $L$ is equal to the total number of different key labels on all
the edges of the key graph.

$$l(s_i) = \left| \bigcup_{s_j,\ \exists (s_i, s_j, k_r) \in G_K} \{k_r\} \right|,$$

$$L = \left| \bigcup_{s_i, s_j,\ \exists (s_i, s_j, k_r) \in G_K} \{k_r\} \right|.$$

If we consider a simple key assignment method in which each edge in the t-graph is assigned a single
distinct key, the storage at a node $s_i$ is simply $l(s_i) = \deg(s_i)$ (node degree of $s_i$) and the total number
of keys is $L = |E(G_T)|$.

3.2 Connectivity

We consider the connectivity of the deployed t-graph $G_{DT}$ obtained by overlapping a t-graph $G_T$ with a
physical graph $G_P$. The probability $p_c$ that any two nodes, say, $s_i$ and $s_j$, are connected by an edge in
$G_{DT}$ is given by:

$$\begin{aligned}
p_c &= p(s_i, s_j) \\
    &= \Pr[\{(s_i, s_j) \in E(G_P)\} \wedge \{(s_i, s_j) \in E(G_T)\}] \\
    &= p_{link} \cdot \frac{\sum_{s_i \in V(G_T)} \deg(s_i)}{n(n-1)} \\
    &= (1 - p_{die})^2 \frac{b}{n-1} \cdot \frac{\sum_{s_i \in V(G_T)} \deg(s_i)}{n(n-1)}.
\end{aligned}$$

Note that $p_c$ in the deployed trust graph and its counterpart in the original t-graph differ by a factor
of $p_{link}$ as mentioned in the last section. Suppose the minimum and maximum degrees of $G_T$ are
denoted by $\theta_{\min}$ and $\theta_{\max}$ respectively. Since $n\theta_{\min} \le \sum_{s_i \in V(G_T)} \deg(s_i) \le n\theta_{\max}$, we have the edge
connectivity probability $p_c$ given by

$$(1 - p_{die})^2 \frac{b\,\theta_{\min}}{(n-1)^2} \le p_c \le (1 - p_{die})^2 \frac{b\,\theta_{\max}}{(n-1)^2}.$$

This edge connectivity probability determines whether the deployed t-graph remains connected. As
a rough estimate, the required minimum degree of the original t-graph could be determined using $p_{link}$,
which is summarized as below.

Theorem 1 To ensure that the deployed t-graph is connected (with reasonably high probability) for a
given $p_{link}$, the minimum degree of the original t-graph $G_T$ is $(1 - p_{link})|E(G_T)| + 1$.

Proof The probability that an edge in $G_T$ is deleted is given by $(1 - p_{link})$, then the expected number
of edges deleted from $G_T$ is given by $a = (1 - p_{link})|E(G_T)|$. To ensure that the deployed graph is
connected after deleting $a$ edges, $G_T$ must be $a + 1$ edge-connected, thus implying a minimum degree
of $a + 1$. ■

A more accurate estimate for the required degree could be determined using the Erdős and Rényi
random graph [25], but such an extension will not be discussed in this paper.

3.3 Energy Consumption 

Suppose two nodes $s_i, s_j$ (connected by a virtual edge in the deployed t-graph) establish a new edge
through an acquaintance chain, the energy consumption is given by

$$W(s_i, s_j) = d_{DT}(s_i, s_j) + 1$$

where $d_{DT}(s_i, s_j)$ is the distance between $s_i$ and $s_j$ in the deployed t-graph. Note that this equation also
applies to neighboring nodes with $d_{DT}(s_i, s_j) = 1$. Overall, the maximum energy consumption $W_{\max}$
over all node pairs is equal to the diameter of the deployed t-graph, that is,

$$W_{\max} = D_{DT} + 1$$

Recall that $G_P$ is the physical graph and we wish to establish trusted links on all edges of $G_P$. The
average energy consumption per node pair $W$ is given by

$$W = 1 + \frac{1}{|E(G_P)|} \sum_{(s_i, s_j) \in E(G_P)} d_{DT}(s_i, s_j).$$

The above energy consumption indices have a unit of average energy per 1-hop transmission and
are expressed in terms of the diameter and distances in the deployed t-graph after vertices and edges are
deleted from the original t-graph; they do not help in the design of KPS for a sensor network in which we
can only control the diameter and distances in the original t-graph. In fact, without the knowledge of the
connectivity of the original t-graph, there is not much we can tell about the diameter or distance increase
in the deployed t-graph. For general t-graphs, the following theorems by Chung et al. [5] could be
helpful.³ Nevertheless, without knowledge of the original t-graph, the bound about deletion of vertices
does not do any better than the loose bound $D_{DT} \le n(1 - p_{die}) - 1$. However, if we assume the
fraction of dead nodes is negligible, the bound about edge deletion could be useful.

Theorem 2 Diameter Increase After Edge Deletion [5]. For a $t + 1$ edge-connected graph $G$ with
diameter $D(G)$ where $t \ge 1$, if $t$ edges are deleted from $G$, the resulting graph $G'$ has the following
diameter upper bound:

$$D(G') \le (t + 1) D(G) + t$$

Theorem 3 Diameter Increase After Vertex Deletion [5]. For a $\lambda$ vertex-connected graph $G$ having $n$
vertices with diameter $D(G)$, for $t < \lambda$, if $t$ vertices are deleted from $G$, the resulting graph $G'$ has the
following diameter upper bound:

D(G') < L^y^J + 1 

Although it is almost impossible to find a nice upper bound on the diameter $D_{DT}$ and average
distance $\bar{d}_{DT}$ of a deployed t-graph $G_{DT}$ obtained from any general t-graph, in the following, we will
characterize a t-graph with its node degrees, diameter and mean distance, and the minimum number of
disjoint paths between any pair of non-adjacent vertices with a view to obtaining some bounds for the
energy consumption indices. The result is given by the following claim:

Theorem 4 Suppose a t-graph $G_T$ with $n$ vertices, diameter $D_T$, average distance $\bar{d}_T$ and minimum
degree $\theta_{\min}$, and each pair of vertices in $G_T$ have at least $f$ disjoint shortest-path acquaintance chains.
Given the diameter $D_{DT}$ of the resulting deployed t-graph $G_{DT}$ (obtained by overlapping with a physical
graph), the average distance $\bar{d}_{DT}$ of $G_{DT}$ taken over all physical neighbors is bounded above by the
following:

$$\bar{d}_{DT} \le \bar{d}_T + (D_{DT} - 2)\left(1 - \frac{\theta_{\min}}{n - 1}\right) P,$$

where

$$P = \left[1 - (1 - p_{die})^{D_T - 1}\left(\frac{b}{n - 1}\right)^{D_T}\right]^{f}.$$

3 A t edge-connected graph is a connected graph such that if fewer than t edges are removed, the graph remains connected.
Similarly, a t vertex-connected graph is a connected graph such that if fewer than t vertices are removed, the graph remains
connected.



Proof Suppose we pick two nodes $s_i$ and $s_j$ which are physical neighbors. Let their distance in $G_T$
be $d' = d(s_i, s_j) \le D_T$. Assume there are $f' \ge f$ disjoint paths of this length. There are $d'$ edges and
$(d' - 1)$ vertices between $s_i$ and $s_j$ in $G_T$.



Pr[l path remains connected in Gdt] 
Pr [All /' paths are disconnected in Gdt] 

The probability of disconnection between Sj and Sj is: 



< 



l-d-p^ef'- 1 f^T 



l-(l-te)^- 1 



n-1 



D 7 



Pr[si, Sj are not neighbors in Gt and all /' paths are disconnected] 



< 



1 



n—l 



1 - (1 -p di , 



\D 1 



D T 



Note that $d' \ge 2$ and the new distance between $s_i, s_j$ should be at most $D_{DT}$ (diameter). Therefore the
distance increase is given by $\Delta d(s_i, s_j) \le D_{DT} - 2$.

Since whether two nodes are physical neighbors is randomly determined, we could take the mean
distance $\bar{d}_T$ in $G_T$ as the mean distance of the subset of pairs connected by physical links. As a result, the
new mean distance $\bar{d}_{DT}$ in $G_{DT}$ is given by:

$$\bar{d}_{DT} = \bar{d}_T + \frac{1}{|E(G_P)|} \sum p_{dc}\, \Delta d(s_i, s_j).$$

This concludes the proof. ■

Depending on the scenario in question, we could use the bound in Chung's theorem (Theorem 2)
or the very loose bound $n(1 - p_{die}) - 1$ to substitute $D_{DT}$ in this equation. Note also that the average
energy consumption $W$ is given by

$$W \le 1 + \bar{d}_T + (D_{DT} - 2)\left(1 - \frac{\theta_{\min}}{n - 1}\right)\left[1 - (1 - p_{die})^{D_T - 1}\left(\frac{b}{n - 1}\right)^{D_T}\right]^{f}.$$



From this equation, we can easily see that as the mean distance $\bar{d}_T$ or diameter $D_T$ of the original
graph drops, the average energy consumption $W$ drops, and as the minimum number $f$ of disjoint paths
or the minimum degree $\theta_{\min}$ of the original graph increases, the average energy consumption decreases
(which is expected). If Chung's theorem is used, for $D_T = 2$, there is almost a linear relationship
between $W$ and vertex degree $\theta$ of a regular graph in which $\theta_{\max} = \theta_{\min} = \theta$.

Although the connectivity discussed in Section 3.2 can be considered as a special instance of
neighborhood connectivity with $h = 1$, we should distinguish between the two as the former refers to
whether a t-graph remains connected after edges and vertices are deleted from it due to limited radio
range and dead nodes in the actual deployment, and without the energy consumption constraint, all
edges in a physical graph could be connected.

4 Storage Lower Bound



Without loss of generality, we could assume that each edge in a t-graph is assigned a unique, distinct key, 
and as a result, the degree of a vertex in the t-graph is the key storage requirement at it. The following 
theorems relate the diameter and mean distance of a t-graph with its node degree. This also states the 
storage lower bound for any key predistribution scheme for a given key path length that can be tolerated. 
These lower bounds apply to all key predistribution schemes and demonstrate the trade-off between 
storage and energy consumption for trust establishments in a sensor network. 

The following two theorems give the minimum initial secret key storage needed for bootstrapping a 
sensor network subject to a certain maximum length restriction on the acquaintance chain. 

Theorem 5 Given a t-graph $G_T$ having $n$ vertices with diameter $D_T$, for the maximum node degree
$\theta_{\max} > 2$ the following holds:

$$\theta_{\max} > 1 + \sqrt[D_T]{n}$$

Proof Randomly pick a node $s_i$, there are at most $\theta_{\max}$ nodes 1 hop away. At 2 hops away, there are
at most $\theta_{\max}(\theta_{\max} - 1)$. At $i$ hops away, there are at most $\theta_{\max}(\theta_{\max} - 1)^{i-1}$. Hence, the total number
of nodes within $D_T$ hops away from $s_i$ is given by:

$$1 + \theta_{\max} + \theta_{\max}(\theta_{\max} - 1) + \cdots + \theta_{\max}(\theta_{\max} - 1)^{D_T - 1}$$

Since any two nodes in $G_T$ should be no more than $D_T$ hops apart, the above number should be greater
than $n$, that is,

$$n \le 1 + \theta_{\max} + \theta_{\max}(\theta_{\max} - 1) + \cdots + \theta_{\max}(\theta_{\max} - 1)^{D_T - 1}$$



-J^ _j_ @max[(@max 1) T 1] 

@max ^f) m ax(^maa 1) ^ ~ 

Ornax 2 
Qmax\@max 1) ^ 2 



'max 



< dmax{e Zlx 1)DT (assuming 6 max > 2) 

= ifimax 1) T • 

As a result, $\theta_{\max} > 1 + \sqrt[D_T]{n}$. ■

We can easily derive the storage lower bound, which is stated as follows.

Theorem 6 For a maximum acceptable key path length $D$, the minimum key storage $\theta_{\min}(n, D)$ needed
at each node for a sensor network with $n$ nodes is given by:

$$\theta_{\min}(n, D) > 1 + \sqrt[D]{n}.$$

In order to achieve resiliency against dead nodes and links which happen right after the sensor
network is deployed, additional key storage provision is usually needed to allow alternative choices for the
acquaintance chain between any two sensor nodes. Doing a similar analysis, we can arrive at the
following corollary for a t-graph wherein any pair of non-adjacent vertices are connected by at least $f$ disjoint
paths.

Corollary 7 Given a t-graph $G_T$ having $n$ vertices with diameter $D_T$ and there are at least $f$ disjoint
paths between any two non-adjacent vertices, for the maximum node degree $\theta_{\max} > 2$, the following
holds:



'max 



> 1+ D yjn 



The above theorem in essence tells us that if we want to ensure that any two sensor nodes could
authenticate each other through another node, we need at least a square root storage (with respect to the
total number of nodes) at each sensor node. If we could tolerate a longer acquaintance chain, say 3 hops,
we only need a cube-root storage per node. Note that this discussion does not take into account the
deleted edges or vertices in the actual sensor network, but combined with the results of the last section
and the following theorem on average distance, we can determine the minimum $\theta_{\max}$ needed to meet a
given $W$ constraint.

Theorem 8 Given a t-graph $G_T$ having $n$ vertices with diameter $D_T$, maximum degree $\theta_{\max} > 2$ and
minimum degree $\theta_{\min} > 2$, the following holds for the mean distance $d_T$:

$$d_L < d_T < d_U$$

where

$$d_L = D_T - \frac{\theta_{\max}}{(n-1)(\theta_{\max}-2)^2}\,(\theta_{\max}-1)^{D_T}$$

and

$$d_U = D_T - \frac{\theta_{\min}}{(n-1)(\theta_{\min}-2)^2}\left[(\theta_{\min}-1)^{D_T} - (D_T+1)\right].$$

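Proof Suppose we first consider a regular graph with node degree $\theta$ and diameter $D$. Picking any node
$S_i$, the number of nodes at 1 hop away is $\theta$, and at $i$ hops away is $\theta(\theta-1)^{i-1}$. We could
take the number of nodes at $D$ hops away to be $(n-1)$ minus the sum of all these. The mean distance
$d(\theta)$ for this regular graph could be computed as follows:

$$\begin{aligned}
(n-1)\,d(\theta) &= 1\cdot\theta + 2\cdot\theta(\theta-1) + \cdots + (D-1)\cdot\theta(\theta-1)^{D-2} \\
 &\quad + D\cdot\left[(n-1) - \left(\theta + \theta(\theta-1) + \cdots + \theta(\theta-1)^{D-2}\right)\right] \\
 &= \frac{\theta}{\theta-1}\sum_{i=1}^{D-1} i(\theta-1)^{i} + D(n-1) - D\,\frac{\theta}{\theta-1}\sum_{i=1}^{D-1}(\theta-1)^{i} \\
 &= D(n-1) + \frac{\theta}{\theta-1}\cdot\frac{(D-1)(\theta-1)^{D+1} - D(\theta-1)^{D} + (\theta-1)}{(\theta-2)^2} - D\,\frac{\theta}{\theta-1}\cdot\frac{(\theta-1)^{D} - 1}{\theta-2} \\
 &= D(n-1) - \frac{\theta}{(\theta-1)(\theta-2)^2}\left[(\theta-1)^{D+1} - (D+1)(\theta-1) + D\right]
\end{aligned}$$

$$d(\theta) = D - \frac{\theta\left[(\theta-1)^{D+1} - (D+1)(\theta-1) + D\right]}{(n-1)(\theta-1)(\theta-2)^2}.$$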

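For a general graph, the mean distance $d_T$ should be smaller than $d(\theta_{\min})$. That is,

$$d_T < d(\theta_{\min}).$$

So, we have

$$\begin{aligned}
d_T &< D_T - \frac{\theta_{\min}\left[(\theta_{\min}-1)^{D_T+1} - (D_T+1)(\theta_{\min}-1) + D_T\right]}{(n-1)(\theta_{\min}-1)(\theta_{\min}-2)^2} \\
    &< D_T - \frac{\theta_{\min}\left[(\theta_{\min}-1)^{D_T+1} - (D_T+1)(\theta_{\min}-1)\right]}{(n-1)(\theta_{\min}-1)(\theta_{\min}-2)^2} \\
    &= D_T - \frac{\theta_{\min}}{(n-1)(\theta_{\min}-2)^2}\left[(\theta_{\min}-1)^{D_T} - (D_T+1)\right].
\end{aligned}$$

Similarly, $d_T > d(\theta_{\max})$, and we have

$$\begin{aligned}
d_T &> D_T - \frac{\theta_{\max}\left[(\theta_{\max}-1)^{D_T+1} - (D_T+1)(\theta_{\max}-1) + D_T\right]}{(n-1)(\theta_{\max}-1)(\theta_{\max}-2)^2} \\
    &> D_T - \frac{\theta_{\max}(\theta_{\max}-1)^{D_T+1}}{(n-1)(\theta_{\max}-1)(\theta_{\max}-2)^2} \\
    &= D_T - \frac{\theta_{\max}}{(n-1)(\theta_{\max}-2)^2}\,(\theta_{\max}-1)^{D_T}.
\end{aligned}$$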



This concludes the proof. 



4.1 An Upper Bound on the Probability of Compromise 

We have not considered trading off security for reduced storage in the discussion so far. When a node
is compromised, its keys do not leak any keys held by other users, except the keys established indirectly
through this compromised node, and the nodes in question could always establish another
indirect key through an alternative acquaintance path.

In order to reduce key storage, we could reuse keys: say, a key of a user is shared
with multiple neighbors in the t-graph, up to a maximum of $g$. We could view the key assignment as
a labeled or colored t-graph or key graph such that each distinct label or color corresponds to a key. In
the case of repeated key usage, a color would appear more than once in the colored t-graph. Hence, when
a key is compromised, all edges in the graph with the same label or color would be affected and cannot
be used. The following theorem bounds the number of links affected when a node is compromised.

Theorem 9 Given a t-graph on $n$ vertices with maximum and minimum vertex degree $\theta_{\max}$ and $\theta_{\min}$
and diameter $D$. Suppose each node in a sensor network uses a single key for at most $g$ times. The
fraction $P_{\text{compromise}}$ of links affected is bounded by the following:

$$P_{\text{compromise}} \le \frac{g}{g-2}\cdot\frac{\theta_{\max}}{n\,\theta_{\min}}\left[(g-1)^{D} - 1\right].$$

Proof When a node is compromised, at most $\theta_{\max}$ neighbors are affected, each of which affects at
most $(g-1)$ neighbors. Hence, the total number of nodes affected is bounded by:

$$n' = \theta_{\max} + \theta_{\max}(g-1) + \theta_{\max}(g-1)^2 + \cdots + \theta_{\max}(g-1)^{D-1} = \frac{\theta_{\max}\left[(g-1)^{D} - 1\right]}{g-2}.$$

At most $g$ edges at each of them are affected. As a result, the maximum number of edges
affected is given by $g\,n'$. The total number of edges in a t-graph is at least $n\theta_{\min}$. As edges and vertices
are randomly deleted, we can therefore take the fraction $\frac{g\,n'}{n\,\theta_{\min}}$ over a t-graph as that in the actual
network. ■

Note that Theorem 9 can be easily extended to multiple compromised nodes. A straightforward but
less tight bound can be obtained by adding a multiplicative constant.

5 Optimal Trust Graph Constructions



To design an optimal key assignment for a given sensor network scenario, we usually need to construct
a t-graph of $n$ vertices with minimum vertex degree subject to the following constraints:

• a given diameter $D$;

• a given minimum number $f$ of paths between two non-adjacent vertices.

5.1 Construction 1: Heuristic Approach 

To construct such a graph, we could use a naive heuristic approach as follows: We start with a complete
graph $K_n$ on all the $n$ vertices. For each edge in $K_n$, delete it and check whether the constraints are still
fulfilled. If yes, update the graph; otherwise add back the edge.
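
An added sketch of Construction 1 in Python (not code from the paper): it prunes $K_n$ edge by edge and re-checks both constraints after each deletion. The function names are hypothetical, edges are tried in lexicographic order, and "disjoint paths" is taken to mean internally vertex-disjoint paths, counted with a unit-capacity max flow; these are assumptions.

```python
from itertools import combinations

def diameter_ok(adj, D):
    """True if every vertex reaches every other vertex within D hops."""
    reach = {v: {v} for v in adj}
    for _ in range(D):
        reach = {v: reach[v] | {w for u in reach[v] for w in adj[u]} for v in adj}
    return all(len(r) == len(adj) for r in reach.values())

def disjoint_paths(adj, s, t, need):
    """Count internally vertex-disjoint s-t paths, stopping once `need` are found.
    Max flow with unit capacities; each vertex v is split into (v, 0) -> (v, 1)."""
    cap = {}
    for v in adj:
        cap[(v, 0), (v, 1)] = need if v in (s, t) else 1
        for w in adj[v]:
            cap[(v, 1), (w, 0)] = 1

    def augment(u, seen):
        if u == (t, 1):
            return True
        seen.add(u)
        for (a, b), c in list(cap.items()):
            if a == u and c > 0 and b not in seen and augment(b, seen):
                cap[a, b] -= 1                      # push one unit forward
                cap[b, a] = cap.get((b, a), 0) + 1  # and open the residual edge
                return True
        return False

    flow = 0
    while flow < need and augment((s, 0), set()):
        flow += 1
    return flow

def constraints_hold(adj, D, f):
    """Diameter at most D and at least f disjoint paths per non-adjacent pair."""
    return diameter_ok(adj, D) and all(
        disjoint_paths(adj, s, t, f) >= f
        for s, t in combinations(adj, 2) if t not in adj[s])

def prune_complete_graph(n, D, f):
    """Construction 1: start from K_n, delete each edge unless a constraint breaks."""
    adj = {v: set(range(n)) - {v} for v in range(n)}
    for a, b in combinations(range(n), 2):
        adj[a].discard(b); adj[b].discard(a)
        if not constraints_hold(adj, D, f):
            adj[a].add(b); adj[b].add(a)            # constraint violated: add it back
    return adj
```

For n = 8, D = 2, f = 2 this edge order ends at the complete bipartite graph $K_{2,6}$: two hub nodes of degree 6 and six nodes of degree 2. The constraints hold, but the maximum degree, and with it the key storage at the hubs, stays close to that of $K_n$.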

5.2 Construction 2: de Bruijn Graph 

If we just consider $f = 1$, we could use the de Bruijn graph family [9, 26] and their variations, which
have a very simple and nice structure.

The basic construction consists of the vertex set $\{(a_1, a_2, \ldots, a_p, \ldots, a_r) : a_p \in [1, q]\}$, with
$(a_1, a_2, \ldots, a_p, \ldots, a_r)$ adjacent to $(a_2, \ldots, a_p, \ldots, a_r, b)$ for any $b \in [1, q]$. Since the de Bruijn graph
is well known, there are various methods to construct it for different numbers of vertices [7, 14].

Such a graph has degree $\theta = 2q$ and diameter $D = r$ on $n = q^r$ vertices. Note that $\theta = 2\sqrt[D]{n}$, which
is just about two times the lower bound given by Theorem 5.

5.3 Construction 3: A variation of de Bruijn Graph 

If we do not insist on any value of $f$, the following variation for $f > 1$ could be used. Again, the vertex
set is $\{(a_1, a_2, \ldots, a_p, \ldots, a_r) : a_p \in [1, q]\}$ but $q$ has to be prime. Randomly pick $u > r$ vectors from
$\mathbb{Z}_q^r$, say $b_1, b_2, \ldots, b_u$, such that any $r$ of these $u$ vectors form a basis of $\mathbb{Z}_q^r$. A vertex $a$ is made adjacent
to $a + x b_i$, for all $x \in \mathbb{Z}_q^*$ and $1 \le i \le u$.

Such a graph has degree $\theta = u(q-1)$ and diameter $D = r$ on $n = q^r$ vertices, and any pair of
nodes are connected by $\frac{u!}{(u-r)!}$ paths and $u$ disjoint paths. Note that $\theta \approx f\sqrt[D]{n}$. The reason for this is as
follows:

Given any pair of vertices $a_1$ and $a_2$, the difference $a_1 - a_2$ could always be expressed as a linear
combination of any $r$ vectors from $\{b_1, b_2, \ldots, b_u\}$. Suppose we pick $r$ of them and call them
$c_1, c_2, \ldots, c_r$. Then, $a_1 = a_2 + x_1 c_1 + x_2 c_2 + \ldots + x_r c_r$ for some $x_1, x_2, \ldots, x_r$. Note that $a_1$ is
adjacent to $a_1 + x_1 c_1$, which in turn is adjacent to $a_1 + x_1 c_1 + x_2 c_2$ and so on. In other words, $a_2$ is
reachable from $a_1$ in at most $r$ hops. Hence, the diameter $D = r$. Since there are $r!$ ways of traversing
these $r$ vectors and $\binom{u}{r}$ possible combinations of these $r$ vectors, the total number of paths is

$$\binom{u}{r}\, r! = \frac{u!}{(u-r)!}.$$
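
An added check of Constructions 2 and 3 in Python (not code from the paper): it builds both graphs and measures degree and diameter by breadth-first search, so the stated values can be compared on small instances. Function names are hypothetical; the de Bruijn graph is treated as undirected with self-loops dropped, and Construction 3 labels coordinates 0..q-1 instead of 1..q so that the arithmetic is plain mod q.

```python
from itertools import combinations, product

def diameter(adj):
    """Largest hop count between any two vertices (BFS from each vertex)."""
    worst = 0
    for s in adj:
        seen, frontier, hops = {s}, {s}, 0
        while len(seen) < len(adj):
            frontier = {w for v in frontier for w in adj[v]} - seen
            if not frontier:
                return float("inf")               # disconnected graph
            seen |= frontier
            hops += 1
        worst = max(worst, hops)
    return worst

def de_bruijn(q, r):
    """Construction 2: (a1..ar) adjacent to (a2..ar, b), b in [1, q]; undirected."""
    adj = {v: set() for v in product(range(1, q + 1), repeat=r)}
    for v in adj:
        for b in range(1, q + 1):
            w = v[1:] + (b,)
            if w != v:                            # drop self-loops
                adj[v].add(w); adj[w].add(v)
    return adj

def rank_mod_q(rows, q):
    """Rank over Z_q (q prime) by Gaussian elimination."""
    rows, rank = [list(r) for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col] % q), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, q)
        for i in range(rank + 1, len(rows)):
            k = rows[i][col] * inv % q
            rows[i] = [(x - k * y) % q for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def variation(q, r, vectors):
    """Construction 3: a adjacent to a + x*b_i for every x in Z_q^* and every b_i."""
    if any(rank_mod_q(c, q) < r for c in combinations(vectors, r)):
        raise ValueError("some r of the vectors do not form a basis")
    adj = {a: set() for a in product(range(q), repeat=r)}   # coords 0..q-1 (assumption)
    for a in adj:
        for b, x in product(vectors, range(1, q)):
            adj[a].add(tuple((ai + x * bi) % q for ai, bi in zip(a, b)))
    return adj
```

With q = 3, r = 3 the de Bruijn graph has 27 vertices, maximum degree 6 = 2q and diameter 3; with q = 5, r = 2 and the constructed vectors (1,0), (0,1), (1,1), Construction 3 gives 25 vertices, every degree equal to 12 = u(q-1), and diameter 2.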
6 Conclusions


We apply graph theory to study key assignment methods for key predistribution in wireless sensor
networks. We map the parameters of a key predistribution scheme to those of a t-graph, which represents
the trust relationships between sensor nodes. We give a storage lower bound and an upper bound on
the compromising probability of key predistribution schemes under a given design constraint of maximum
acceptable key path length. We also show a number of near-optimal constructions from graph theory. We
believe better constructions can result from the proposed framework.